You’ve faced the compliance dragon before, and you may have gotten burned. Last year’s compliance cycle was brutal, and this year won’t be any different. Unless you can slay that dragon.
This is part 2 in our series on taking control of compliance management in 2019. Just now joining the conversation? Check out the rest of the series:
- Survey the landscape of your compliance certification requirements
- Evaluate your vendors and auditors (this post)
- Build your budget
- Choose the best compliance tools
- Streamline compliance management
- Recruit your compliance team
- Train your people
- Automate ongoing compliance tasks
Our last article started our journey to take control of your compliance management process. You’ve figured out your compliance landscape—what certifications you need, and which ones are a priority to get under control. Now it’s time to gather your allies and assess your third-party partners—specifically, your auditors and your vendors. In this article, you’ll be asking if you have the auditors you need (and any you don’t need), and whether or not your vendors are effectively meeting your compliance needs.
Your compliance auditors and vendors are your partners in compliance. But to be effective, you need the right partnerships. Too much redundancy, or inadequate vendors, and you’re multiplying your work. For the CISO fighting to gain control of their compliance, it’s just like giving Sisyphus a bigger rock to roll!
Evaluate Your Assessment Needs
Once you’ve identified all of the certifications you need, it’s time to figure out which ones need third-party attestation. In other words, which of your certifications must be audited by an independent compliance assessor? You want to get this right for two reasons:
- Your company could lose clients (or worse) if you get caught without an auditor.
- It will be a waste of money to pay for an assessment you don’t need.
How do you know which certifications require a third-party auditor? Carefully review the requirements and regulations for each certification. Also check your contracts with customers, vendors and partners. These agreements may contractually obligate you to undergo a third-party assessment, regardless of what the certification itself requires.
In some cases, you may opt to undergo audits, even if they aren’t required. Usually, that’s because it provides a competitive advantage, or the certification is extremely important to your organization. If your company truly cares about its security, it is critical to get third-party, objective insight into the compliance state of your organization. Too many companies place blind faith in their internal IT departments to secure the environment—yet very few IT personnel have the experience or objectivity to implement what’s needed, even if they have been in IT for years.
Pick Your Players
Next, streamline your audit process as much as possible. You might discover that you have a glut of auditors and vendors that are redundant with each other. That can happen over time as your compliance needs grow organically, or if different departments hire their own vendors.
Ask your compliance team, “How can we streamline or maximize the efficiency of our compliance management process, based on the players involved?” You don’t want too many cooks in the kitchen, because they’ll all be fighting over the same pots and pans and trying to use the stove at the same time!
For example, I know one organization that uses three different assessment firms for six different certifications. That creates a lot of redundant communication and coordination over the year. They’re sharing hundreds of the same files with multiple auditors, audits need to be scheduled around each other, and employees have to answer the same questions multiple times whenever they’re interviewed. That’s just insane. Imagine how much easier and more efficient it would be for them if they just had one auditor!
If you have multiple auditors assessing different certifications, see if you can roll everything into one assessment firm. You’ll save your company time, money and annoyance.
Do the same kind of review of your vendors. Do multiple suppliers offer the same services? If so, you’re hounding more vendors for compliance evidence and coordinating through more bureaucracy than you need to. Maybe your IT support company can also provide printer support. Perhaps you’re using a couple of different shredding services and you didn’t realize it. If so, let one of the vendors go and trim the fat.
Now you only need to ask one vendor for their compliance evidence. That streamlines your compliance process and reduces the number of plates you’ve got to keep spinning. The more you can reduce the number of players in the game, the less overwhelming your compliance process will be—and the faster it’ll be!
Who you hire is just as important as how many vendors you hire. Look for suppliers that are compliant themselves, whenever you can. If your vendor isn’t compliant, that means you’re responsible for overseeing their processes and security practices. But if they undergo compliance certification themselves (preferably with a third party), that can make your life a heck of a lot easier.
Do Some Digging into Your Vendors
Are your vendors compliant? Good! Are they actually covering what you think they’re covering? Better check. For example, if your cloud hosting company is a big cloud provider, you could be in for a big surprise.
For example, many companies mistakenly believe that just because AWS or Azure hosts their data, all of their certification needs are covered. In reality, the provider covers the bare-bones basics for the infrastructure and leaves the rest to you. Look at the provider’s Attestation of Compliance (AOC) and make sure you know exactly what you’ll be responsible for.
That goes for all of your outsourced providers. Always know exactly where the lines of responsibility fall.
Do you suspect that your vendor doesn’t really know what they’re doing when it comes to security and compliance, regardless of their documentation? Don’t just hope for the best—find out. There are two ways to confirm your vendors are doing their job:
- Hire a third party to perform a risk assessment on the vendor’s organization. The assessment will tell you where the non-technical risks are, and you’ll learn a lot from that process. For example, you’ll see whether the vendor’s services are well positioned for what they need to be doing, and how well the vendor is following its own policies and procedures.
- Hire a third party to perform a penetration test. Look for a firm that truly cares about your security. Don’t hire someone who is just a penetration testing order-taker. Penetration testing firms are the Wild West of the IT world these days, with varying capabilities and a lot of waste—expect better.
A few thoughts about penetration testing companies. You could get quotes that range anywhere from $5k to $45k for the same test scope. At the low end, you’re primarily getting a tools-based, scanning approach. A lot of testers will call this a penetration scan, which is basically a vulnerability scan with custom tests that they automate. But it doesn’t give your organization the depth of testing you need to meet certification requirements.
At the other end of the scale is the equivalent of a small army of ninjas running all over your building trying to break in and use social engineering. It’s overly manual, and way more than the kind of testing your organization needs.
Chances are, you just need something in the middle of the spectrum. You don’t want to fluff the tests, because the point is to be secure and compliant. You also don’t need all the bells and whistles of the high-end pen test.
Whichever route you take, there’s no reason to continue using a vendor who doesn’t have their security and compliance under control. Not only does it mean more work for you, it also places your organization at greater risk if something happens on the supplier’s end. Know for sure you’re using the best vendors to take care of your needs.
The Right Team for Compliance Success!
When it comes to slaying the compliance dragon, you need to have a team of allies you can count on. It needs to be lean, and you need to know they’ve got your back. If you’ve got too many players getting in the way, who aren’t equipped to support you, you’ll have a hard time taking control of your compliance mess.
There really is a better way to take control of all of your compliance information. TCT Portal connects the dots between your internal resources, vendors, auditors and your clients to make sure each and every certification is completed in a cohesive, coordinated manner.
See how easy it can be—schedule your live demo today.